`ruby-saml` version 2.x major version

[dblessing]

This gem currently pins ruby-saml to ~> 1.18. The upstream maintainers are working on v2.x now. How would omniauth-saml like to handle the major version update for the dependency?

I've tested omniauth-saml with the v2.x branch and it works without modification, other than the dependency pin. However, there may be a few changes in the gem which do cause breaking changes for omniauth-saml users depending on their use and configuration. ruby-saml has a v2.x upgrading document at https://github.com/SAML-Toolkits/ruby-saml/blob/v2.x/UPGRADING.md.

An example where a v2.x change is likely to break things for omniauth-saml users is the default idp_cert_fingerprint will change from SHA1 to SHA256. To continue using SHA1, users will need to explicitly set idp_cert_fingerprint_algorithm.

Should omniauth-saml also experience a major version bump to coincide with ruby-saml v2.x, or is a minor version bump sufficient?

[bufferoverflow]

Right now I would say we could do a 2.3.x for this, the major version was last time bumped for omniauth 2.

[ilikepi]

Is the configuration language of omniauth-saml considered part of its "public API"? On one hand, it seems like the settings themselves are all just delegated to ruby-saml, but when you look at usage examples in practice, it gets a little fuzzy...